Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Attempt to get feeder to use API credentials to authenticate to MQTT #31

Closed
mbillow opened this issue Nov 1, 2020 · 6 comments
Closed

Attempt to get feeder to use API credentials to authenticate to MQTT #31

mbillow opened this issue Nov 1, 2020 · 6 comments

Comments

@mbillow
Copy link
Member

mbillow commented Nov 1, 2020

According to the Konexios docs, the feeder uses its API key data to try and authenticate to the MQTT broker. We are able to get the feeder to connect by not enabling authentication on the broker, but this is a big security issue. It would be trivial to discover the broker, subscribe to the # topic, and replay the commands we send to control the feeder.

This would require us to generate and store actual API keys for feeders, instead of just returning random garbage on /gateways/{gateway_id}/config Kronos endpoint.
@mbillow
Copy link
Member Author

mbillow commented Nov 1, 2020

@kruton Can you take a look and see if "pegasus" is in the firmware anywhere. The docs make it sound like it is always the MQTT username.

@kruton
Copy link
Collaborator

kruton commented Nov 1, 2020

The only place it mentions pegasus is in this MQTT login function where VHOST "%s" ends up being identical to "/pegasus:%s".

@kruton
Copy link
Collaborator

kruton commented Nov 1, 2020

We can add a special authentication plugin for HBMQTT broker. There is some documentation in an issue on HBMQTT. Also, someone talked about it on gitter:

first you have to package your plugin class with a setup.py file contaning the following section :

entry_points = {
    'hbmqtt.broker.plugins': [
            ‘mongo_auth_plugin = hbmqtt.plugins.authentication:MongoAuthPlugin’,]
}

then you have to publish your package using pip (locally).
in the broker configuration file, don’t forget to add ‘mongo_auth_plugin’ to the list of auth.plugins
something like :

auth:
   plugins: [‘mongo_auth_plugin’, ‘auth_anonymous']

note that I’ve not tested this. I’m just writing what I would do ...

@mbillow
Copy link
Member Author

mbillow commented Nov 1, 2020

Yah, it looks like we should just be able to implement something simple that follows the pattern of their current auth plugins and reads from the SQLite DB

@kruton
Copy link
Collaborator

kruton commented Nov 2, 2020

I got it authenticating with a unique password, but it's still not a secure solution. Anyone could call the /config URL currently to get the API key as well. I suppose it makes the attack more difficult.

@mbillow
Copy link
Member Author

mbillow commented Nov 2, 2020

Well, it looks like we both spent time implementing something in this space. My fault for not being more clear on that front.

I had this same thought and was planning on digging into making our current HTTP calls also validate API keys. We could then have a togglable “discovery mode” that allows new feeders to connect and get new API keys.

@mbillow mbillow closed this as completed Nov 7, 2020
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@kruton @mbillow